
dependency-review-action cannot find a license for dependency-review-action #182

Closed
ericcornelissen opened this issue Aug 4, 2022 · 5 comments
Labels
bug Something isn't working

Comments

@ericcornelissen
Contributor

On the first run this Action did in one of my repositories (first time using it) I looked at the output and noticed a curious log (full logs here):

We could not detect a license for the following dependencies:
.github/workflows/deps-analysis.yml » actions/dependency-review-action@2.0.4

From what I can tell, this repository's license is present and well-formed (there's a LICENSE file, as well as the "license" entry in package.json, and GitHub displays the correct license in the UI).

I'm not sure what exactly the problem is, but I would not expect this Action to log a "problem" with itself.

@RobPasMue

Also experiencing this issue in some of my repos... looking forward to its resolution! =)

@jcasner

jcasner commented Sep 27, 2022

I'm finding this issue in testing this action, also. I tried importing a package with a proper license entry in its package.json as well as a LICENSE file but am getting this message and not seeing the expected failure from the action.

EDIT
Updating with some details. In order to test this, I added a package (https://github.com/joachimdalen/DevUI) that is listed as GPL-3.0 on npm and github.

I peeked under the covers at the github action and it is pulling the license from the github dependency-graph API

GET /repos/{owner}/{repo}/dependency-graph/compare/{baseRef}...{headRef}

For some packages, we're getting correct values (e.g.: dayjs is getting correctly marked with the MIT license). However, for this one the license is null in the API response, which the action can't interpret (obviously). I think this actually needs to be filed with the github API.

  {
    "change_type": "added",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "@joachimdalen/devui",
    "version": "2.0.0-rc12",
    "package_url": "pkg:npm/%40joachimdalen/devui@2.0.0-rc12",
    "license": null,
    "source_repository_url": "https://github.com/joachimdalen/DevUI",
    "scope": "runtime",
    "vulnerabilities": []
  },

@febuiles
Contributor

@jcasner Thanks for diving into this, to add further details: The API only returns licenses for the top N licenses for any given repo (not sure if N is the same for all ecosystems). I'm thinking that the best way to proceed here is to call the GitHub licenses API endpoint if license: null in the vulnerabilities payload. What do you think?

@febuiles
Contributor

License detection was improved in the latest release of the Action by adding a fallback to GitHub's License API. Please re-open this issue if you're still experiencing problems.
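
The two-step lookup discussed above (read the license field of the dependency-graph compare response, then fall back to GET /repos/{owner}/{repo}/license for entries where it is null), as an added example that is not the action's own code; the sample changes, the fake License API table and the hypothetical package names are constructed here so it runs offline.

```python
"""Fallback license resolution for dependency-graph compare results.

Added example, not the action's implementation. Step 1 reads `license`
from each entry returned by
  GET /repos/{owner}/{repo}/dependency-graph/compare/{baseRef}...{headRef}
Step 2, for entries whose license is null, asks the repository License API
(GET /repos/{owner}/{repo}/license) through a caller-supplied fetcher, so
the logic can be exercised here with a constructed stand-in.
"""
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed sample modelled on the compare payload quoted in the thread.
SAMPLE_CHANGES = [
    {"name": "@joachimdalen/devui", "version": "2.0.0-rc12", "license": None,
     "source_repository_url": "https://github.com/joachimdalen/DevUI"},
    {"name": "dayjs", "license": "MIT",
     "source_repository_url": "https://github.com/iamkun/dayjs"},
    # Hypothetical package with no source repo: nothing to fall back to.
    {"name": "hypothetical-pkg", "license": None, "source_repository_url": None},
]

# Constructed stand-in for the License API, keyed by "owner/repo" and
# shaped like the `license.spdx_id` part of its JSON response.
FAKE_LICENSE_API = {"joachimdalen/DevUI": {"license": {"spdx_id": "GPL-3.0"}}}

def fake_fetch(owner: str, repo: str) -> Optional[dict]:
    return FAKE_LICENSE_API.get(f"{owner}/{repo}")

def owner_repo(url: Optional[str]) -> Optional[tuple[str, str]]:
    """Extract (owner, repo) from a github.com repository URL, else None."""
    if not url:
        return None
    parts = urlparse(url)
    if parts.netloc != "github.com":
        return None
    segs = [s for s in parts.path.split("/") if s]
    return (segs[0], segs[1]) if len(segs) >= 2 else None

def resolve_licenses(changes, fetch: Callable) -> dict[str, Optional[str]]:
    """Return {name: spdx_id or None}, using the License API as fallback."""
    out = {}
    for ch in changes:
        lic = ch.get("license")
        if lic is None and (pair := owner_repo(ch.get("source_repository_url"))):
            resp = fetch(*pair)
            spdx = ((resp or {}).get("license") or {}).get("spdx_id")
            # GitHub reports NOASSERTION when it cannot classify the text.
            lic = spdx if spdx and spdx != "NOASSERTION" else None
        out[ch["name"]] = lic
    return out

def unresolved(changes, fetch: Callable) -> list[str]:
    """Names that would still be reported as 'could not detect a license'."""
    return [n for n, l in resolve_licenses(changes, fetch).items() if l is None]
```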

@raphaeldeem-jsq

I am encountering this issue, is there a workaround to prevent the tool from flagging itself? Thanks!
